Package: libxmltok
Version: 1.2-4
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu kinetic ubuntu-patch

Dear Maintainer,

While triaging CVE-2021-46143 for expat, it was found that one part of
the reported integer overflow, in doProlog() in xmlparse.c, is also
present in libxmltok.
So I'm suggesting applying this patch to libxmltok in Debian as well.

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2021-46143.patch: add an integer overflow check
      for groupSize variable at doProlog() in xmlparse/xmlparse.c.
    - CVE-2021-46143


Thanks for considering the patch.


-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-33-generic (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libxmltok-1.2/debian/patches/CVE-2021-46143.patch 
libxmltok-1.2/debian/patches/CVE-2021-46143.patch
--- libxmltok-1.2/debian/patches/CVE-2021-46143.patch   1969-12-31 
21:00:00.000000000 -0300
+++ libxmltok-1.2/debian/patches/CVE-2021-46143.patch   2022-05-30 
16:58:54.000000000 -0300
@@ -0,0 +1,29 @@
+Description: backport of libexpat upstream patch
+ Backport of libexpat patch that is included in libxmltok:
+ Prevent integer overflow on groupSize in function doProlog
+Author: Rodrigo Figueiredo Zaiden <rodrigo.zai...@canonical.com>
+Origin: upstream, 
https://github.com/libexpat/libexpat/commit/82c11af9d3dafc1b086a15efecd6ec07b6e13613
+Bug: https://github.com/libexpat/libexpat/issues/532
+Forwarded: no
+Last-Update: 2022-05-27
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- libxmltok-1.2.orig/xmlparse/xmlparse.c
++++ libxmltok-1.2/xmlparse/xmlparse.c
+@@ -2616,9 +2616,14 @@ doProlog(XML_Parser parser,
+ #endif /* XML_DTD */
+     case XML_ROLE_GROUP_OPEN:
+       if (prologState.level >= groupSize) {
+-      if (groupSize)
++      if (groupSize) {
++        /* Detect and prevent integer overflow */
++        if (groupSize > (unsigned int)(-1) / 2u) {
++          return XML_ERROR_NO_MEMORY;
++        }
++
+         groupConnector = realloc(groupConnector, groupSize *= 2);
+-      else
++  } else
+         groupConnector = malloc(groupSize = 32);
+       if (!groupConnector)
+         return XML_ERROR_NO_MEMORY;
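Review bot: the closing brace introduced on the `++  } else` line is indented two columns while the `if (groupSize) {` it closes sits at six, so the patched source reads as if the else branch belonged to the enclosing `if (prologState.level >= groupSize)`; indent it to `      } else` to match the opening line. The overflow guard itself (`groupSize > (unsigned int)(-1) / 2u` before `groupSize *= 2`) is correct for an unsigned int groupSize. Pre-existing, but visible in the same hunk: `groupConnector = realloc(groupConnector, groupSize *= 2);` overwrites the pointer before the `if (!groupConnector)` test, so on allocation failure the old buffer is unreachable and groupSize already records the doubled size; assigning the realloc result to a temporary and only committing pointer and size on success would avoid both.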
diff -Nru libxmltok-1.2/debian/patches/series 
libxmltok-1.2/debian/patches/series
--- libxmltok-1.2/debian/patches/series 2017-08-10 08:53:42.000000000 -0300
+++ libxmltok-1.2/debian/patches/series 2022-05-30 16:58:54.000000000 -0300
@@ -1 +1,2 @@
 debian-changes.patch
+CVE-2021-46143.patch

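To make the defect and the fix concrete, here is an added example (constructed for this report, not code from libxmltok, libexpat or the attached patch). It reduces the group-connector growth step from the hunk to a stand-alone C routine: `next_size_unchecked` shows how the pre-patch `groupSize *= 2` wraps modulo 2^32 once groupSize reaches 2^31, `next_size_checked` applies the same `UINT_MAX / 2` guard the patch adds, and `ensure_group_capacity` performs the patched growth step. The `GroupState` struct and the function names are hypothetical stand-ins; the example also routes realloc through a temporary pointer, which the patch does not do.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the two parser fields the hunk touches:
 * groupConnector grows by doubling as prolog nesting gets deeper. */
typedef struct {
    char *groupConnector;
    unsigned int groupSize;
} GroupState;

enum { GROW_OK = 0, GROW_NO_MEMORY = 1 };

/* Unchecked doubling, as in the pre-patch code. For groupSize >= 2^31 the
 * product wraps modulo 2^32, so the "grown" size is smaller than before
 * (exactly 0 for 2^31): realloc would then return a tiny buffer that the
 * parser keeps indexing up to the old nesting level. */
unsigned int next_size_unchecked(unsigned int groupSize) {
    return groupSize * 2u;
}

/* Checked doubling, mirroring the patch's guard. UINT_MAX is the same
 * value the hunk spells as (unsigned int)(-1). */
int next_size_checked(unsigned int groupSize, unsigned int *out) {
    if (groupSize > UINT_MAX / 2u)
        return GROW_NO_MEMORY;   /* doubling would not fit: refuse */
    *out = groupSize * 2u;
    return GROW_OK;
}

/* Patched growth step for one XML_ROLE_GROUP_OPEN. The realloc result
 * goes through a temporary so a failed reallocation leaves the old
 * buffer and size intact (an extra change beyond the hunk). */
int ensure_group_capacity(GroupState *st, unsigned int level) {
    if (level < st->groupSize)
        return GROW_OK;              /* enough room already */
    if (st->groupSize) {
        unsigned int newSize;
        char *tmp;
        if (next_size_checked(st->groupSize, &newSize) != GROW_OK)
            return GROW_NO_MEMORY;   /* overflow: report instead of wrapping */
        tmp = realloc(st->groupConnector, newSize);
        if (!tmp)
            return GROW_NO_MEMORY;   /* state untouched on failure */
        st->groupConnector = tmp;
        st->groupSize = newSize;
    } else {
        st->groupConnector = malloc(32);
        if (!st->groupConnector)
            return GROW_NO_MEMORY;
        st->groupSize = 32;
    }
    return GROW_OK;
}

/* Walks the growth path end to end; returns 1 when every step behaves as
 * described above, 0 otherwise. The "huge" state is constructed with a
 * size only and no real buffer, so the guard must fire before any realloc. */
int run_growth_scenario(void) {
    GroupState st = { NULL, 0 };
    GroupState huge = { NULL, 0x80000000u };
    int ok = 1;
    ok = ok && ensure_group_capacity(&st, 0) == GROW_OK && st.groupSize == 32u;
    ok = ok && ensure_group_capacity(&st, 31) == GROW_OK && st.groupSize == 32u;
    ok = ok && ensure_group_capacity(&st, 32) == GROW_OK && st.groupSize == 64u;
    ok = ok && st.groupConnector != NULL;
    ok = ok && ensure_group_capacity(&huge, 0x80000000u) == GROW_NO_MEMORY;
    ok = ok && huge.groupSize == 0x80000000u && huge.groupConnector == NULL;
    free(st.groupConnector);
    return ok;
}

int main(void) {
    printf("unchecked 2^31 * 2 = %u\n", next_size_unchecked(0x80000000u));
    printf("growth scenario %s\n", run_growth_scenario() ? "ok" : "FAILED");
    return 0;
}
```

The value to notice is that the guard compares before multiplying: once `groupSize` is at or above 2^31 the unchecked product is already wrong, so any check placed after `groupSize *= 2` would be inspecting the wrapped result.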